Gogs flaw let attackers overwrite LFS files across repositories until 0.14.2 fix

Gogs has patched a critical security flaw that could let attackers overwrite Git Large File Storage objects across repositories on the same server. The issue, tracked as CVE-2026-25921, affects Gogs versions 0.14.1 and earlier, and the project now lists 0.14.2 as the patched release.

This bug matters because it can quietly tamper with files that teams trust, including binaries, datasets, installers, and build artifacts stored through Git LFS. GitHub’s reviewed advisory says the issue can enable a supply-chain attack, and users downloading the altered LFS object from the webpage may see no warning at all.

The sample article you shared gets one major point wrong: it says no patch exists. A patch does exist. Gogs fixed the issue in version 0.14.2, and the release notes specifically list this security problem under the fixes for that version.

What CVE-2026-25921 does

According to GitHub’s reviewed advisory for Gogs, the vulnerability allows cross-repository LFS object overwrite via missing content hash verification. The advisory says all LFS objects hosted on a vulnerable Gogs server can be maliciously overwritten.

The flaw exists because Gogs stores LFS objects in a shared location rather than isolating them by repository, and because it does not properly verify that an uploaded file’s content matches the SHA-256 hash the client claims. That combination lets an attacker upload a different file while reusing the object ID of a target file already stored on the same instance.

In practical terms, an attacker can replace a trusted file from one repository by uploading malicious content from another repository, as long as the server accepts the claimed object ID. That is why this issue creates a serious integrity risk for shared self-hosted Gogs environments.

Affected and patched versions

Here is the official version status based on the reviewed advisory and Gogs release notes.

Product	Affected versions	Patched version
Gogs	0.14.1 and earlier	0.14.2

That means administrators should stop treating this as an unpatched issue. The correct remediation is to update to Gogs 0.14.2 as soon as possible.

Severity and risk

The sample article says the flaw has a CVSS 3.1 score of 10.0. The reviewed GitHub advisory lists the severity as Critical with a CVSS v3 score of 9.3, not 10.0. It also lists the vector as AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L.

That score reflects the main danger here: high integrity impact. The bug does not mainly expose confidential data. Instead, it lets attackers silently change files that other developers, CI pipelines, or users may trust. That makes it especially serious for internal package distribution and software delivery workflows. This is an inference based on the advisory’s integrity-heavy scoring and its supply-chain warning.

Why this Gogs vulnerability is so dangerous

Many Git teams use LFS to store large artifacts outside the main repository history. Those files often include installers, model weights, archives, media assets, and other files that downstream systems later consume automatically.

If an attacker can overwrite those objects without triggering a warning, they may poison a release pipeline or replace a trusted dependency with a backdoored one. GitHub’s advisory explicitly warns that a supply-chain attack is possible, which makes this more than a normal repository bug.

The same advisory also notes that a victim who downloads the LFS object from the webpage gets no warning. That silent behavior increases the chance that tampering goes unnoticed until after the compromised file spreads further.

How the flaw works

GitHub’s reviewed advisory explains the problem in two parts. First, Gogs stores all LFS objects in the same place, with no repository ID in the storage path. Second, Gogs does not verify uploaded LFS content against the SHA-256 object ID the client claims.

The advisory’s proof of concept shows a normal upload to one repository followed by a crafted upload from another repository using the same object ID. After that second upload, the original content gets overwritten.

That means the weakness is not just theoretical. The advisory includes a working demonstration and ties the bug directly to the way Gogs handles shared LFS storage and trust in client-supplied hashes.

What Gogs fixed in 0.14.2

Gogs published version 0.14.2 on February 19, 2026. In the release notes, the project lists this exact issue under the “Fixed” section as: Security: Cross-repository LFS object overwrite via missing content hash verification.

That release note is the clearest official sign that admins should move to 0.14.2. It also confirms that the project maintainers recognized the bug as a security issue, not just a logic error or data consistency problem.

What administrators should do now

If you run a self-hosted Gogs instance, patching should come first.

• Upgrade all Gogs servers running 0.14.1 or earlier to 0.14.2.
• Review which repositories use Git LFS for build artifacts, release packages, or datasets.
• Recheck the integrity of high-value LFS objects that users or pipelines downloaded recently.
• Restrict account creation and upload permissions on shared instances until patching is complete.
• Review CI and release workflows that trust LFS-hosted artifacts without extra verification.

The last three items are defensive best practices based on the nature of the vulnerability and the advisory’s supply-chain warning.

Quick facts

Item	Details
CVE	CVE-2026-25921
Product	Gogs
Issue	Cross-repository LFS object overwrite
Root cause	Shared LFS storage plus missing content hash verification
Affected versions	0.14.1 and earlier
Fixed version	0.14.2
Severity	Critical
CVSS v3	9.3
Main risk	Silent tampering and supply-chain compromise

FAQ